VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Mar 26, 2026 · Updated Apr 15, 2026

CVE-2025-15488


Description

The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Responsive Plus plugin before 3.4.3 allows unauthenticated arbitrary shortcode execution via the update_responsive_woo_free_shipping_left_shortcode AJAX action.

Vulnerability

Overview

The Responsive Plus WordPress plugin, versions prior to 3.4.3, contains a vulnerability that allows unauthenticated attackers to execute arbitrary WordPress shortcodes. The flaw resides in the update_responsive_woo_free_shipping_left_shortcode AJAX action, which fails to properly validate the content_rech_data parameter before processing it as a shortcode [1]. This lack of authorization and input validation enables any unauthenticated user to trigger the action.

Exploitation

An attacker can exploit this vulnerability by sending a crafted AJAX request to the vulnerable endpoint without needing any authentication. The content_rech_data parameter is passed directly into a shortcode execution function, allowing the attacker to supply any registered shortcode as the payload [1]. No special privileges or prior access are required, making the attack surface broad.
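The flaw class described above is an admin-ajax handler that is reachable without authentication and hands a request parameter straight to the shortcode engine. The following added example (written for this page, not the Responsive Plus plugin's code, and not its actual fix) shows what such a handler looks like when each missing control is in place: it is registered only on the authenticated `wp_ajax_` hook, requires a nonce and a capability, and accepts only a single allowlisted shortcode before calling `do_shortcode()`. The action and parameter names are reused from the advisory purely to show where the checks belong; the allowlisted tag and nonce action name are hypothetical.

```php
<?php
/**
 * Illustrative hardened admin-ajax handler (added example, not the plugin's code).
 * Action and parameter names are taken from the advisory only to locate the checks;
 * the allowlisted shortcode tag and nonce action are hypothetical.
 */

// Registered for logged-in users only. The advisory's issue hinges on the action
// being reachable by unauthenticated users, so no wp_ajax_nopriv_ hook is added.
add_action(
    'wp_ajax_update_responsive_woo_free_shipping_left_shortcode',
    'example_hardened_shortcode_handler'
);

/** Shortcodes this endpoint is permitted to render (hypothetical allowlist). */
function example_allowed_shortcodes() {
    return array( 'responsive_woo_free_shipping_left' );
}

/**
 * Returns the payload if it is exactly one allowlisted shortcode (attributes
 * allowed), or null for anything else: other tags, surrounding text, multiple
 * shortcodes, escaped [[tag]] forms, or oversized input.
 */
function example_validate_shortcode_payload( $payload ) {
    $allowed = example_allowed_shortcodes();
    $payload = trim( (string) $payload );
    if ( '' === $payload || strlen( $payload ) > 500 ) {
        return null;
    }
    // get_shortcode_regex() built from the allowlist matches only those tags;
    // anchoring to ^...$ rejects any extra content around the shortcode.
    $regex = '/^' . get_shortcode_regex( $allowed ) . '$/s';
    if ( ! preg_match( $regex, $payload, $m ) ) {
        return null;
    }
    // Group 2 is the tag name; group 1 is non-empty only for the escaped [[tag]] form.
    if ( ! in_array( $m[2], $allowed, true ) || '' !== $m[1] ) {
        return null;
    }
    return $payload;
}

function example_hardened_shortcode_handler() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_shortcode_nonce', 'nonce' );

    // 2. Authorization: only users who may edit content reach the shortcode engine.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: the raw parameter never reaches do_shortcode() directly.
    $raw       = isset( $_POST['content_rech_data'] ) ? wp_unslash( $_POST['content_rech_data'] ) : '';
    $shortcode = example_validate_shortcode_payload( $raw );
    if ( null === $shortcode ) {
        wp_send_json_error( array( 'message' => 'invalid shortcode' ), 400 );
    }

    // Only an allowlisted shortcode is ever rendered.
    wp_send_json_success( array( 'html' => do_shortcode( $shortcode ) ) );
}
```

A stronger design for an endpoint like this is to not accept a shortcode string from the client at all: take only the attribute values the feature needs, sanitize them, and build the fixed shortcode server-side, which removes the arbitrary-shortcode class entirely rather than filtering it.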

Impact

Successful exploitation allows an attacker to execute arbitrary shortcodes available in the WordPress installation. Depending on the shortcodes present, this could lead to a range of outcomes, such as reading sensitive data, modifying content, or performing other actions that the shortcode's functionality permits. The CVSS v3 base score of 6.5 (Medium) reflects the potential for significant impact without requiring authentication [1].

Mitigation

The vulnerability has been fixed in version 3.4.3 of the Responsive Plus plugin. Users are strongly advised to update to the latest version immediately. No workarounds are mentioned in the advisory [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1